Virtual Administrator’s September 2023 Patch Recommendations
This month Microsoft released patches for 61 vulnerabilities with 5 rated “Critical” in severity.
All patches will be approved in our patch policy.
A modest number of patches this month. Two zero-day flaws fixed. CVE-2023-36761 is a Microsoft Word “information disclosure” vulnerability. Simply previewing the file can cause the exploit to trigger. The other zero-day fixed is CVE-2023-36802. It’s an “elevation of privilege” flaw in the “Microsoft Streaming Service Proxy” built into Windows 10, 11 and Windows Server versions. CVE-2023-38148 is a weakness in the Internet Connection Sharing service on Windows. Unauthenticated attackers could leverage the flaw to install malware by sending a specially crafted data packet to a vulnerable Windows system connected to the same network segment. Three of the critical rated patches are Remote Code Execution (RCE) problems affecting Visual Studio (CVE-2023-36792, CVE-2023-36793, and CVE-2023-36796) allowing arbitrary code execution when opening a malicious package file. CVE-2023-29332is a vulnerability in Microsoft’s Azure Kubernetes service. It could allow a remote, unauthenticated attacker to gain Kubernetes Cluster administration privileges. Known Issues with SharePoint Server patch. A ClickOnce problem with the July Preview update was corrected. There are two CPU issues outline in “Head Up” below. One was triggered by the August Preview update. Microsoft is blaming Intel. Also this month Microsoft announced Exchange patches that were actually release last month – see “FYI” below. New SSU for Windows Server 2012/2012 R2.
Disclosed: CVE-2023-36761, CVE-2023-36802
Exploited: CVE-2023-36761
FYI Last month’s Exchange Security Updates announced this month?
“The CVEs released today were actually addressed in the August 2023 Exchange Server Security Update (SU). Due to the timing of validation of those fixes and release dates, we decided to release the CVEs as a part of September 2023 ‘Patch Tuesday’ release cycle. We know that many customers are accustomed to checking for Microsoft security releases on the second Tuesday of every month, and we did not want these CVEs to go unnoticed.”
Released: August 2023 Exchange Server Security Updates
Update 9/12/2023: As a part of the September 2023 “Patch Tuesday” we have released a few more Exchange Server CVEs. They were all addressed in our August 2023 SU (more information here). If you did not install August SUs yet, please do so now.
September 2023 release of new Exchange Server CVEs (resolved by August 2023 Security Updates)
Heads Up!
August 22, 2023 Preview for Windows 10/11 causing BSOD
Microsoft received reports about an “UNSUPPORTED_PROCESSOR” error
https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-22H2#3149msgdesc
Affected platforms: Windows 10 21H2/22H2, Windows 10 21H2/22H2
Resolution: After investigating these reports, we have found that the “UNSUPPORTED_PROCESSOR” error was not caused by issues in KB5029331 and is limited to a specific subset of processors. For more information on this issue, please see 13th Gen Intel® Core™ Processor Families with Performance Hybrid Architecture Blue Screen Hang Issue with Windows* Preview Updates (https://www.intel.com/content/www/us/en/support/articles/000096448/processors.html)
This issue will not affect future monthly updates released for Windows. This update will not be offered to Windows devices that might be affected by this issue and we recommend that you do not attempt to manually install it on affected devices.
Transient execution attack named gather data sampling (GDS) or “Downfall.”
KB5029778: How to manage the vulnerability associated with CVE-2022-40982
“Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.”
Security Update Guide
https://portal.msrc.microsoft.com/en-us/security-guidance
Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com
Microsoft Security Advisories
ADV990001 | Latest Servicing Stack Updates (Published:11/13/2018 | Last Updated:09/12/2023)
https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001
Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.
NOTE: The Windows 10 Security Stack Updates are included in the monthly Cumulative Updates.
Known Issues
Issue with SharePoint Server. A ClickOnce bug introduced with the July Preview patch (KB5028244) was fixed with this month’s Cumulative Update KB5030211.
Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues it is unlikely it will occur now.
SharePoint Server might cause custom .aspx files not to be displayed
Affected platforms: SharePoint Server 2019 (KB5002472)/Subscription Edition (KB5002474,KB5002501)/Enterprise Server 2016 (KB5002494)
New security enhancements in SharePoint Server might cause custom .aspx files not to be displayed under certain circumstances. Browsing to such a page generates a “92liq” event tag in SharePoint Unified Logging System (ULS) logs. For more information, see ASPX file cannot be displayed when you create a custom web part (KB5030804).
ASPX file cannot be displayed when you create a custom web part (KB5030804)
Apps deployed via ClickOnce might prompt for installation when opened
https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-22H2#3145msgdesc
Affected platforms: Windows 10 21H2/22H2
Resolved with September Cumulative Update KB5030211
After installing KB5028244 or later updates, apps which were deployed using ClickOnce might begin to prompt for installation even when the ClickOnce apps are already installed and marked as “trusted”.
Workaround: To temporarily workaround the issue, uninstall the impacted ClickOnce Application and reinstall the application again.
Resolution: This issue is resolved using Known Issue Rollback (KIR).
Good resource for known issues with Windows 10/11 patches. Find the version and click on “Known issues”.
Windows release health
https://docs.microsoft.com/en-us/windows/release-health/
Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022 KBs
Links are https://support.microsoft.com/en-us/help/####### with the KB number only.
Security and Quality Rollup
- KB5030265 – Windows Server 2008 R2 (ESU)
- KB5030269 – Windows Server 2012 R2
- KB5030278 – Windows Server 2012
- KB5030271 – Windows Server 2008 (ESU)
Security Only Update
- KB5030261 – Windows Server 2008 R2 (ESU)
- KB5030287 – Windows Server 2012 R2
- KB5030279 – Windows Server 2012
- KB5030286 – Windows Server 2008 (ESU)
Cumulative Updates
Windows 10
- KB5030220 – Original release version 1507 (OS Build 10240)
- KB5030213 – Version 1607 “Anniversary Update” (OS Build 14393)
- KB5030214 – Version 1809 “October 2018 Update” (OS Build 17763)
- KB5030211- Version 21H2 “November 2021 Update” (OS Build 19044)
- KB5030211- Version 22H2 “November 2022 Update” (OS Build 19045)
(Versions 1511,1703,1709,1803,1903,1909,2004,20H2,21H1 are no longer under support)
Windows 11
- KB5030217 – 21H2 (OS Build 22000) Original release
- KB5030219- 22H2 (OS Build 22621)
Windows Server
- KB5030213 – Server 2016 (same KB as Windows 10 Version 1607)
- KB5030214 – Server 2019 (same KB as Windows 10 Version 1809)
- KB5030216 – Server 2022 (OS Build 20348)
September 2023 updates for Microsoft Office
Notable CVEs
CVE-2023-29332 | Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability (AKS resources with Windows OS – Image 20348.1906 or above)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29332
“An attacker who successfully exploited this vulnerability could gain Cluster Administrator privileges.”
CVE-2023-36761 | Microsoft Word Information Disclosure Vulnerability (KB5002483,KB5002497,Click to Run)
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-36761
“The Preview Pane is an attack vector. Exploiting this vulnerability could allow the disclosure of NTLM hashes.”
CVE-2023-36792/36793/36796 | Visual Studio Remote Code Execution Vulnerability (Microsoft .NET Framework Monthly Rollup)
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36792
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36793
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-36796
“Exploitation of this vulnerability requires that an attacker convinces a user to open a maliciously crafted package file in Visual Studio. The word ‘Remote’ in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.”
CVE-2023-36802 | Microsoft Streaming Service Proxy Elevation of Privilege Vulnerability (Cumulative Update)
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-36802
“An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”
CVE-2023-38148 | Internet Connection Sharing (ICS) Remote Code Execution Vulnerability (Cumulative Update)
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-38148
“This attack is limited to systems connected to the same network segment as the attacker. The attack cannot be performed across multiple networks (for example, a WAN) and would be limited to systems on the same network switch or virtual network. An unauthorized attacker could exploit this Internet Connection Sharing (ICS) vulnerability by sending a specially crafted network packet to the Internet Connection Sharing (ICS) Service.”
CVE-2023-38149 | Windows TCP/IP Denial of Service Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2023-38149
“Microsoft strongly recommends that you install the updates for this vulnerability. Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. Systems are not affected if IPv6 is disabled on the target machine.”